10.3. Verifying that IdM Kerberos KDC can use PKINIT and that the CA certificates are correctly located

Procedure

1. Run the kinit utility to authenticate as the idmuser1 with the certificate stored on your smart card:

   $ kinit -X X509_user_identity=PKCS11: idmuser1
   MyEID (sctest)                   PIN:

2. Enter your smart card PIN. If you are not prompted for your PIN, check that you can detect your smart card reader and display the contents of your smart card. See link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/managing_smart_card_authentication/troubleshooting-authentication-with-smart-cards#testing-smart-card-access-on-the-system

3. If your PIN is accepted and you are then prompted for your password, you might be missing your CA signing certificate.

   1. Verify the CA chain is listed in the default certificate bundle file using openssl commands:

      $ openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/ca-bundle.pem | openssl pkcs7 -print_certs -noout
      subject=O = IDM.EXAMPLE.COM, CN = Certificate Authority
      
      issuer=O = IDM.EXAMPLE.COM, CN = Certificate Authority

   2. Verify the validity of your certificates:

      1. Find the user authentication certificate ID for idmuser1:

         $ pkcs11-tool --list-objects --login
         [...]
         Certificate Object; type = X.509 cert
           label:      Certificate
           subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
          ID: 01

      2. Read the user certificate information from the smart card in DER format:

         $ pkcs11-tool --read-object --id 01 --type cert --output-file cert.der
         Using slot 0 with a present token (0x0)

      3. Convert the DER certificate to PEM format:

         $ openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM

      4. Verify the certificate has valid issuer signatures up to the CA:

         $ openssl verify -CAfile /var/lib/ipa-client/pki/ca-bundle.pem <path>/cert.pem
         cert.pem: OK

4. If your smart card contains several certificates, kinit might fail to choose the correct certificate for authentication. In this case, you need to specify the certificate ID as an argument to the kinit command using the certid=<ID> option.

   1. Check how many certificates are stored on the smart card and get the certificate ID for the one you are using:

      $ pkcs11-tool --list-objects --type cert --login
      Using slot 0 with a present token (0x0)
      Logging in to "MyEID (sctest)".
      Please enter User PIN:
      Certificate Object; type = X.509 cert
        label:      Certificate
        subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
        ID:         01
      Certificate Object; type = X.509 cert
        label:      Second certificate
        subject:    DN: O=IDM.EXAMPLE.COM, CN=ipauser1
        ID:         02

   2. Run kinit with certificate ID 01:

      $ kinit -X kinit -X X509_user_identity=PKCS11:certid=01 idmuser1
      MyEID (sctest)                   PIN:

5. Run klist to view the contents of the Kerberos credentials cache:

   $ klist
   Ticket cache: KCM:0:11485
   Default principal: idmuser1@EXAMPLE.COM
   
   Valid starting       Expires              Service principal
   10/04/2021 10:50:04  10/05/2021 10:49:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM

6. Destroy your active Kerberos tickets once you have finished:

   $ kdestroy -A